How to download an EC2 X.509 certificate with an IAM User account?

Problem description

Through the AWS Identity and Access Management, I have a user account to the AWS account of my CTO (who is credited with some money).

I wanted to use this IAM user account to set up my own instances to ssh to it and run some BeautifulSoup python scripts.

However, following this tutorial, when arriving to the part where I need to go on the Security Credentials page, I can't access this page and I'm told I do not have the authorization to view it.

I checked my permissions with the IAM Manager, and I have administration rights, the highest possible clearance (so it seems to me).

What can I do to get this X.509 certificate?

Recommended answer

Preface

First and foremost, you might want to reconsider whether you actually need these X.509 certificates - the tutorial is correct in principle:

There are three types: access keys, X.509 certificates and key pairs. The first and second type allow you to connect to the Amazon APIs. Which type of credential depends on which API and tool you are using. Some APIs and tools support both options, whereas others support just one.

However, nowadays most modern APIs and tools are interacting with AWS by means of access keys only rather than X.509 certificates.

<strike>Unfortunately, this is not the case for the EC2 API tools the tutorial is based on though, which do indeed require X.509 certificates, because they are still (mostly) based on the older EC2 SOAP API.</strike>

Update: The EC2 API Tools meanwhile support AWS access keys as well and deprecated (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/setting_up_ec2_command_linux.html#set_aws_credentials_linux) using X.509 certificates accordingly:

Although we don’t encourage it, for a limited time you can still use EC2_PRIVATE_KEY and EC2_CERT instead of AWS_ACCESS_KEY and AWS_SECRET_KEY. For more information, see Deprecated Options in Common Options for API Tools (http://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/CLTRG-common-args-api.html) in the Amazon Elastic Compute Cloud CLI Reference. If you specify both sets of credentials, the command line tools use the access key ID and secret access key.

Alternative

You might want to check out an alternative first though: If you are comfortable in Python, I'd highly recommend the excellent boto (An integrated interface to current and future infrastructural services offered by Amazon Web Services), which works just fine with access keys, offers almost the same feature set as the EC2 API tools (plus most other AWS APIs) and performs significantly faster due to targeting the newer AWS REST APIs only.

AWS Identity and Access Management (IAM) does not support accessing the actual AWS account, it only covers the AWS Management Console, and most AWS APIs of course. You'll need to sign in with the AWS account's login and password (i.e. those of the account owner) to access the Security Credentials page.

This is not recommended anymore though (see section Security Credentials within IAM Concepts, http://docs.amazonwebservices.com/IAM/latest/UserGuide/IAM_Concepts.html#IAM_SecurityCredentials):

[...] when you create an AWS account, AWS gives the AWS account its own Secret Access Key and Access Key ID by default. The AWS account can make API calls to AWS with them. We expect that you won't use those credentials on a regular basis, but will use them only to initially set up an administrators group for your organization. We recommend that all further API interaction between your AWS account and your AWS resources be at the user level (for example, using users' security credentials). [emphasis mine]

However, you can still achieve your goal by using your own certificate as outlined further down in section X.509 Certificates:

Although you can use IAM to create an access key, you can't use IAM to create a signing certificate. However, you can use free third-party tools such as OpenSSL to create the certificate. [...] After you have the signing certificate, you must upload it to IAM; [...]

How to actually do the latter is illustrated in Uploading a Signing Certificate.
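
The procedure the answer describes (create your own certificate with OpenSSL, then upload it to IAM), as an added example that is not part of the original answer. The file names, the certificate subject, the 365-day lifetime, the IAM user name `alice` and the use of the AWS CLI for the upload are assumptions.

```shell
#!/bin/sh
# Added example: self-signed signing certificate for an IAM user.
# File names, CN, lifetime and the user name are assumptions.

# make_signing_cert DIR [CN] [DAYS]: writes DIR/pk.pem and DIR/cert.pem.
make_signing_cert() {
    dir=$1; cn=${2:-iam-signing-cert}; days=${3:-365}
    mkdir -p "$dir" || return 1
    # Create the private key under a restrictive umask so it is never
    # group- or world-readable, not even briefly.
    ( umask 077 && openssl genrsa -out "$dir/pk.pem" 2048 2>/dev/null ) || return 1
    # Self-signed X.509 certificate over that key (PEM output).
    openssl req -new -x509 -sha256 -key "$dir/pk.pem" -days "$days" \
        -subj "/CN=$cn" -out "$dir/cert.pem" || return 1
}

# cert_matches_key CERT KEY: succeeds only if the certificate carries the
# public key of this RSA private key. Catches mixed-up or missing files
# before anything is uploaded.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# upload_signing_cert USER CERT: registers the certificate with the IAM user.
# Assumes the AWS CLI is installed and configured with access keys that are
# allowed to manage signing certificates. Only the certificate is sent;
# the private key stays on the local machine.
upload_signing_cert() {
    aws iam upload-signing-certificate --user-name "$1" \
        --certificate-body "file://$2"
}

# Typical sequence (not run automatically):
#   make_signing_cert "$HOME/.ec2" \
#     && cert_matches_key "$HOME/.ec2/cert.pem" "$HOME/.ec2/pk.pem" \
#     && upload_signing_cert alice "$HOME/.ec2/cert.pem"
#   export EC2_PRIVATE_KEY="$HOME/.ec2/pk.pem" EC2_CERT="$HOME/.ec2/cert.pem"
```
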
